PUA- IOX Tunneling Tool Execution
Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
Sigma rule (View on GitHub)
1title: PUA- IOX Tunneling Tool Execution
2id: d7654f02-e04b-4934-9838-65c46f187ebc
3status: test
4description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
5references:
6 - https://github.com/EddieIvan01/iox
7author: Florian Roth (Nextron Systems)
8date: 2022-10-08
9modified: 2023-02-08
10tags:
11 - attack.command-and-control
12 - attack.t1090
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 Image|endswith: '\iox.exe'
19 selection_commandline:
20 CommandLine|contains:
21 - '.exe fwd -l '
22 - '.exe fwd -r '
23 - '.exe proxy -l '
24 - '.exe proxy -r '
25 selection_hashes:
26 # v0.4
27 - Hashes|contains:
28 - "MD5=9DB2D314DD3F704A02051EF5EA210993"
29 - "SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD"
30 - "SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731"
31 - md5: '9db2d314dd3f704a02051ef5ea210993'
32 - sha1: '039130337e28a6623ecf9a0a3da7d92c5964d8dd'
33 - sha256: 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'
34 condition: 1 of selection*
35falsepositives:
36 - Legitimate use
37level: high
References
Related rules
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux
- Communication To Ngrok Tunneling Service - Linux